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DETAILED ACTION 
Response to Amendment 

1. This office action is in response to the amendment filed 1 1/14/05. claims 1-5, 7- 
26 and 28-45 are pending. Claims 1-5 and 7-13 are allowed. Claims 21, 23-25 and 37-41 
are objected and claims 14-20, 22, 26-36 and 42-45 are rejected. 

Drawings 

2. Figures 1 and 2 should be designated by a legend such as -Prior Art— because 
only that which is old is illustrated. See MPEP § 608.02(g). Corrected drawings in 
compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid 
abandonment of the application. The replacement sheet(s) should be labeled 
"Replacement Sheet" in the page header (as per 37 CFR 1 .84(c)) so as not to obstruct any 
portion of the drawing figures. If the changes are not accepted by the examiner, the 
applicant will be notified and informed of any required corrective action in the next 
Office action. The objection to the drawings will not be held in abeyance. 

Claim Rejections - 35 USC § 102 

3. Claims 14, 16-20, 22, 28-36 and 43-45 are rejected under 35 U.S.C. 102(e) as 
being anticipated by Hegge et al. (US 2001/0055274), hereafter referred to Hegge. 

Regarding claims 14 and 28, Hegge discloses a method to monitor a network 
switch, comprising: 

externally obtaining at least a portion of data packets received at the network 
switch (10), wherein each of the data packets comprises network address information (the 
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processor 15 identifies data flows, i.e., type of traffic, and switches packets to 
appropriate queues 20 according to flow and destination); 

extracting the network address information from the obtained portion of data 
packets (the data packets of the various data flows are transmitted to destinations through 
the plurality of egress port 30; it is inherent to extract network address information in 
order to transmit data to the destination); and 

determining port information of the network address information in response to 
the network address information extraction (the processor determines port information); 
and 

performing network analysis of said network switch (a monitor device monitors 
specific types of traffic; 0027). 

Regarding 15, Hegge discloses the method wherein port information comprises 
physical information (the port number corresponds to the physical port that the network 
switch is attached to; ingress ports 25, egress ports 30) 

Regarding claims 16 and 32, Hegge discloses that said network switch having a 
plurality of regular ports (25, 30) and a mirror port (35), said mirror port being able to 
mirror network traffic for at least one of said regular ports, wherein said portion of data 
packets are obtained from said mirror port (the switch and the test equipment are coupled 
to each other (see figure 1; and 0014). 
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Regarding claims 17, 18, 33 and 34, Hegge discloses that said network address 
information comprises source address and the destination address of said mirrored data 
packet (packets that have been transmitted using the TCP/IP protocol and it is part of this 
standard to have the source and destination addresses of the packet included in each 
packet to allow for proper routing, thus the packets received by the monitoring device 
have the source and destination addresses of where that packet came from and where they 
are going to (see 0021 and 0028)). 

Regarding claims 19 and 35, Hegge discloses the method wherein the network 
switch comprises a plurality of regular ports (25), wherein said portion of data packets 
are forwarded to said monitor device (40) by passively tapping at least one of said regular 
ports (data traffic through the switch to other ports is copied to the mirror port for 
monitoring by the IDS and the IDS itself communicates to other devices attached to the 
switch, for example a console, using the mirror port). 

Regarding claims 20 and 36, Hegge discloses that said determining step 
comprising: interrogating said switch to obtain said port information using said network 
address information (determining whether the information is a part of particular flow of 
information that is a member of pre-selected group of flows of information). 

Regarding claim 22, Hegge disclose the method wherein the network address 
information extraction and the port information determination are performed in an 
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external monitor device (packets are copied to monitoring device (40) for detecting port 
scans and flooding attack; 0014). 

Regarding claim 29-31 Hegge discloses that said port information refers to 
physical information of said network address information in said network switch (the port 
number corresponds to the physical port that the network node is attached to (see figure 

!))• 

Regarding claim 43, Hegge discloses that said network switch is a routing switch 
(the switch routs packets over a switches network (see figure 1; 0016)). 

Regarding claim 44, Hegge discloses the method further comprising associating 
the port information with information contained in the data packets ((fig.l, when traffic 
captured that traveled between the network devices, it is inherent to determine port 
information in order to forward the data packet to the destination). 

Regarding claim 45, Hegge discloses the method, further comprising performing 
network analysis of said network switch using said port information and associated data 
packet information (data traffic through the switch to other ports is copied to the mirror 
port for monitoring by the EDS and the IDS itself communicates to other devices attached 
to the switch, for example a console, using the mirror port). 

4. Claim 28 is rejected under 35 U.S.C. 102(e) as being anticipated by Ganesh et al. 
(US 2002/0067726 Al) hereafter referred to Ganesh. 
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Ganesh discloses, in Fig. 3, a method to monitor a network switch, comprising: 
externally obtaining at least a portion of data packets received at said network 
switch (50) wherein each of the data packets comprises network address information 
(search engine determine where to forward the network frame (a frame includes a 
destination address, a source address and a data field); extracting said network address 
information from the obtained portion of data packets (packet analysis and key extraction 
logic 64 extracts the source and destination address from the network frame and forwards 
the addresses to the search engine 68 and maintains the lookup table in memory 58); and 
determining port information of the network address information in response to the 
network address information extraction (forwarding decision logic 72 examines the 
results and applies a predetermined set of rules to determine whether the network frame 
should be forwarded and which port or ports it should be forwarded to (0055-0057). 

5. Claims 28, 31, 33, 34, 42, and 43 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Taylor et al. (US 6,889,245 Bl). 

Regarding claim 28,Taylor discloses, in Fig. 5, a controller 502, a multi-port 
crossbar switch 506, and buffer 508. The controller 502 controls the cross bar switch 
interface and the data access through the buffer. Additionally, the controller contains a 
look up table 504 that stores routing information such as port addresses (externally 
obtaining at least a portion of data packets received at said network switch, wherein each 
of the data packets comprises network address information). Further the controller 
monitors the buffered data and inspects the header information of each packet of data 
(claimed extracting said network address information from the obtained portion of data 
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packets). In response to the header information and routing information, the controller 
causes the buffered data to be passed through the cross bar switch interface and instructs 
the cross bar switch as to which port on the cross bar switch the data packet is to be 
routed (claimed determining port information of said network address information in 
response to the network address information extraction). 

Regarding claim 3 1 , the method wherein said network address information 
extraction and said port information determination is performed in an external monitoring 
device (the controller inspects the header information of each packet of data and instructs 
the cross bar switch as to which port on the cross bar switch the data packet is to be 
routed). 

Regarding claims 33 and 34, Taylor discloses the method wherein the network 
address information comprises destination and source addresses (the controller inspects 
the header information of each packets of data for routing information, it is inherent that 
the header comprises the source and the destination addresses). 

Regarding claim 42, Taylor discloses that the controller contains a look up table 
that stores routing information such as port addresses. 

Regarding 43, Taylor discloses the method wherein the network switch is a 
routing switch (see fig. 5). 

6. Claims 26 and 42 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Hegge. 
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Hegge discloses all the claim limitations as stated above. Further, Hegge discloses 
that the processor 15 identifies data flows and queued to appropriate egress ports. 
However, Hegge does not expressly disclose at least one lookup table correlating the 
network address information with the port information. As known in the art many 
switching system use lookup tables to determine the routing of calls. Therefore, it would 
have been obvious to one of ordinary skill in the art at the time the invention was made to 
add a lookup table in the processor of Hegge in order to determine a received packet 
destination and to select an egress port (0003). 

Allowable Subject Matter 

7. Claims 1-5 and 7-13 are allowed. 

8. Claims 21, 23-25 and 37-41 are objected to as being dependent upon a rejected 
base claim, but would be allowable if rewritten in independent form including all of the 
limitations of the base claim and any intervening claims. 

Response to Arguments 

9. Applicant's arguments with respect to claims 1-5, 7-26, and 28-45 have been 
considered but are moot in view of the new ground(s) of rejection. 

Applicant argues "although the Hegge switch presumably determines port 
information, such port information is not determined in response to the extraction of 
network address information corresponding to the port information." Examiner 
respectfully disagrees. Hegge discloses that processor 15 identifies data flows and 
switches packets to appropriate queues (appropriate egress ports) according to flow and 
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destination. Packets that have been transmitted using the ATM or TCP/IP protocol and it 
is part of this standard to have the source and destination addresses of the packet included 
in each packet to allow for proper routing. 

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Saba Tsegaye whose telephone number is (571) 272- 
3091. The examiner can normally be reached on Monday-Friday (7:30-5:00), First 
Friday off. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Seema Rao can be reached on (571) 272-3174. The fax phone number for the 
organization where this appHcation or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. Status 
information for unpublished applications is available through Private PAIR only. For 
more information about the PAIR system, see http://pair-direct.uspto.gov. Should you 
have questions on access to the Private PAIR system, contact the Electronic Business 
Center (EBC) at 866-217-9197 (toll-free). 
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